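/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

/*
 * Support for SMB "signing" (message integrity)
 */

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/conf.h>
#include <sys/proc.h>
#include <sys/fcntl.h>
#include <sys/socket.h>
#include <sys/md4.h>
#include <sys/md5.h>
#include <sys/des.h>
#include <sys/kmem.h>
#include <sys/crypto/api.h>
#include <sys/crypto/common.h>
#include <sys/cmn_err.h>
#include <sys/stream.h>
#include <sys/strsun.h>
#include <sys/sdt.h>

#include <netsmb/smb_osdep.h>
#include <netsmb/smb.h>
#include <netsmb/smb_conn.h>
#include <netsmb/smb_subr.h>
#include <netsmb/smb_dev.h>
#include <netsmb/smb_rq.h>

#ifdef DEBUG
/*
 * Set this to a small number to debug sequence numbers
 * that seem to get out of step.
 */
int nsmb_signing_fudge = 0;
#endif

/* Mechanism definitions */
static crypto_mechanism_t crypto_mech_md5 = { CRYPTO_MECH_INVALID };

/*
 * Look up the MD5 mechanism ID once.  smb_compute_MAC() refuses to
 * run (returns CRYPTO_MECHANISM_INVALID) until this has succeeded.
 */
void
smb_crypto_mech_init(void)
{
	crypto_mech_md5.cm_type = crypto_mech2id(SUN_CKM_MD5);
}



#define	SMBSIGLEN	8	/* SMB signature length */
#define	SMBSIGOFF	14	/* SMB signature offset */

/*
 * Compare two SMBSIGLEN-byte signatures.  Returns non-zero when they
 * are equal.
 *
 * Every byte is always examined, so the time taken does not depend on
 * the position of the first mismatching byte (unlike a compare that
 * stops at the first difference).  The reply signature comes from the
 * network, so the verifier should not leak how much of it matched.
 */
static int
smb_sig_equal(const uint8_t *a, const uint8_t *b)
{
	uint8_t diff = 0;
	int i;

	for (i = 0; i < SMBSIGLEN; i++)
		diff |= (uint8_t)(a[i] ^ b[i]);

	return (diff == 0);
}

/*
 * Compute the SMB signature of a message, using the stored MAC key.
 *
 * The value computed here is MD5(concat(Key, message)), where the
 * message is digested with its signature field replaced by the
 * little-endian sequence number followed by four zero bytes.  Note
 * that this is a key-prefixed MD5, not the nested HMAC construction.
 * Only the first SMBSIGLEN (8) bytes of the 16-byte digest are used.
 *
 * Arguments:
 *	vcp		VC whose vc_mackey / vc_mackeylen supply the key
 *	mp		message; the first mblk must hold at least
 *			SMB_HDRLEN bytes (only ASSERTed here, so callers
 *			must pull up the header before calling)
 *	seqno		sequence number to place in the signature field
 *	signature	where to store the SMBSIGLEN-byte result;
 *			may be NULL, in which case nothing is stored
 *
 * Returns CRYPTO_SUCCESS, or the error from the crypto framework.
 *
 * See similar code for the server side:
 * uts/common/fs/smbsrv/smb_signing.c : smb_sign_calc
 */
static int
smb_compute_MAC(struct smb_vc *vcp, mblk_t *mp,
	uint32_t seqno, uchar_t *signature)
{
	crypto_context_t crypto_ctx;
	crypto_data_t key;
	crypto_data_t data;
	crypto_data_t digest;
	uchar_t mac[16];
	int status;
	/*
	 * This union is a little bit of trickery to:
	 * (1) get the sequence number int aligned, and
	 * (2) reduce the number of digest calls, at the
	 * cost of copying 32 bytes instead of 8.
	 * Both sides of this union are 2+32 bytes.
	 */
	union {
		struct {
			uint8_t skip[2]; /* not used - just alignment */
			uint8_t raw[SMB_HDRLEN]; /* header length (32) */
		} r;
		struct {
			uint8_t skip[2]; /* not used - just alignment */
			uint8_t hdr[SMBSIGOFF]; /* sig. offset (14) */
			uint32_t sig[2]; /* MAC signature, aligned! */
			uint16_t ids[5]; /* pad, Tid, Pid, Uid, Mid */
		} s;
	} smbhdr;

	/*
	 * These checks exist only in DEBUG kernels.  Both callers
	 * in this file pull up the header and test vc_mackey first.
	 */
	ASSERT(mp != NULL);
	ASSERT(MBLKL(mp) >= SMB_HDRLEN);
	ASSERT(vcp->vc_mackey != NULL);

	/*
	 * Make an aligned copy of the SMB header
	 * and fill in the sequence number.
	 * The message itself is not modified here.
	 */
	bcopy(mp->b_rptr, smbhdr.r.raw, SMB_HDRLEN);
	smbhdr.s.sig[0] = htolel(seqno);
	smbhdr.s.sig[1] = 0;

	/*
	 * Compute the MAC: MD5(concat(Key, message))
	 */
	if (crypto_mech_md5.cm_type == CRYPTO_MECH_INVALID) {
		SMBSDEBUG("crypto_mech_md5 invalid\n");
		return (CRYPTO_MECHANISM_INVALID);
	}
	status = crypto_digest_init(&crypto_mech_md5, &crypto_ctx, 0);
	if (status != CRYPTO_SUCCESS)
		return (status);

	/*
	 * NOTE(review): the early returns below do not explicitly
	 * release crypto_ctx.  Confirm whether the framework frees
	 * the context when an update fails, or whether a call such
	 * as crypto_cancel_ctx() is needed on these paths.
	 */

	/* Digest the MAC Key */
	key.cd_format = CRYPTO_DATA_RAW;
	key.cd_offset = 0;
	key.cd_length = vcp->vc_mackeylen;
	key.cd_miscdata = 0;
	key.cd_raw.iov_base = (char *)vcp->vc_mackey;
	key.cd_raw.iov_len = vcp->vc_mackeylen;
	status = crypto_digest_update(crypto_ctx, &key, 0);
	if (status != CRYPTO_SUCCESS)
		return (status);

	/* Digest the (copied) SMB header */
	data.cd_format = CRYPTO_DATA_RAW;
	data.cd_offset = 0;
	data.cd_length = SMB_HDRLEN;
	data.cd_miscdata = 0;
	data.cd_raw.iov_base = (char *)smbhdr.r.raw;
	data.cd_raw.iov_len = SMB_HDRLEN;
	status = crypto_digest_update(crypto_ctx, &data, 0);
	if (status != CRYPTO_SUCCESS)
		return (status);

	/*
	 * Digest rest of the SMB message.
	 * The length relies on the message holding at least
	 * SMB_HDRLEN bytes (see the ASSERTs above).
	 */
	data.cd_format = CRYPTO_DATA_MBLK;
	data.cd_offset = SMB_HDRLEN;
	data.cd_length = msgdsize(mp) - SMB_HDRLEN;
	data.cd_miscdata = 0;
	data.cd_mp = mp;
	status = crypto_digest_update(crypto_ctx, &data, 0);
	if (status != CRYPTO_SUCCESS)
		return (status);

	/* Final */
	digest.cd_format = CRYPTO_DATA_RAW;
	digest.cd_offset = 0;
	digest.cd_length = sizeof (mac);
	digest.cd_miscdata = 0;
	digest.cd_raw.iov_base = (char *)mac;
	digest.cd_raw.iov_len = sizeof (mac);
	status = crypto_digest_final(crypto_ctx, &digest, 0);
	if (status != CRYPTO_SUCCESS)
		return (status);

	/*
	 * Finally, store the signature.
	 * (first 8 bytes of the mac)
	 */
	if (signature)
		bcopy(mac, signature, SMBSIGLEN);

	/* Callers compare the result against CRYPTO_SUCCESS. */
	return (CRYPTO_SUCCESS);
}

/*
 * Sign a request: compute the SMB signature (keyed MD5, see
 * smb_compute_MAC) and store it in the header of the outgoing message.
 *
 * There is no return value.  If the header cannot be pulled up the
 * request is left as it was; if the MAC cannot be computed the
 * signature field is zeroed.
 */
void
smb_rq_sign(struct smb_rq *rqp)
{
	struct smb_vc *vcp = rqp->sr_vc;
	mblk_t *mp = rqp->sr_rq.mb_top;
	uint8_t *sigloc;
	int status;

	/*
	 * Our mblk allocation ensures this,
	 * but just in case...
	 */
	if (MBLKL(mp) < SMB_HDRLEN) {
		if (!pullupmsg(mp, SMB_HDRLEN))
			return;
	}
	sigloc = mp->b_rptr + SMBSIGOFF;

	if (vcp->vc_mackey == NULL) {
		/*
		 * Signing is required, but we have no key yet
		 * fill in with the magic fake signing value.
		 * This happens with SPNEGO, NTLMSSP, ...
		 *
		 * The literal is 7 characters plus its NUL,
		 * i.e. exactly SMBSIGLEN (8) bytes.
		 */
		bcopy("BSRSPLY", sigloc, SMBSIGLEN);
		return;
	}

	/*
	 * This will compute the MAC and store it
	 * directly into the message at sigloc.
	 */
	status = smb_compute_MAC(vcp, mp, rqp->sr_seqno, sigloc);
	if (status != CRYPTO_SUCCESS) {
		SMBSDEBUG("Crypto error %d", status);
		bzero(sigloc, SMBSIGLEN);
	}
}

/*
 * Verify reply signature.
 *
 * Returns 0 when the signature in the reply matches the one computed
 * with sr_rseqno, and EBADRPC when it does not or when the MAC could
 * not be computed.
 *
 * Zero is also returned, without any check, when there is no
 * MAC key yet, when the reply is empty, or when the header cannot be
 * pulled up.  A zero return therefore means "not rejected", not
 * "authenticated"; the short/empty cases rely on the caller failing
 * later in parsing.
 */
int
smb_rq_verify(struct smb_rq *rqp)
{
	struct smb_vc *vcp = rqp->sr_vc;
	mblk_t *mp = rqp->sr_rp.md_top;
	uint8_t sigbuf[SMBSIGLEN];
	uint8_t *sigloc;
	int rsn, status;
#ifdef DEBUG
	int fudge;	/* only used by the diagnostic loop below */
#endif

	/*
	 * Note vc_mackey and vc_mackeylen gets filled in by
	 * smb_usr_iod_work as the connection comes in.
	 */
	if (vcp->vc_mackey == NULL) {
		SMBSDEBUG("no mac key\n");
		return (0);
	}

	/*
	 * Let caller deal with empty reply or short messages by
	 * returning zero.  Caller will fail later, in parsing.
	 */
	if (mp == NULL) {
		SMBSDEBUG("empty reply\n");
		return (0);
	}
	if (MBLKL(mp) < SMB_HDRLEN) {
		if (!pullupmsg(mp, SMB_HDRLEN))
			return (0);
	}
	sigloc = mp->b_rptr + SMBSIGOFF;

	/*
	 * Compute the expected signature in sigbuf.
	 */
	rsn = rqp->sr_rseqno;
	status = smb_compute_MAC(vcp, mp, rsn, sigbuf);
	if (status != CRYPTO_SUCCESS) {
		SMBSDEBUG("Crypto error %d", status);
		/*
		 * If we can't compute a MAC, then there's
		 * no point trying other seqno values.
		 */
		return (EBADRPC);
	}

	/*
	 * Compare the computed signature with the
	 * one found in the message (at sigloc),
	 * without stopping at the first mismatch.
	 */
	if (smb_sig_equal(sigbuf, sigloc))
		return (0);

	SMBSDEBUG("BAD signature, MID=0x%x\n", rqp->sr_mid);

#ifdef DEBUG
	/*
	 * For diag purposes, we check whether the client/server idea
	 * of the sequence # has gotten a bit out of sync.
	 * This only affects the debug message; the reply is
	 * still rejected below.
	 */
	for (fudge = 1; fudge <= nsmb_signing_fudge; fudge++) {
		(void) smb_compute_MAC(vcp, mp, rsn + fudge, sigbuf);
		if (smb_sig_equal(sigbuf, sigloc))
			break;
		(void) smb_compute_MAC(vcp, mp, rsn - fudge, sigbuf);
		if (smb_sig_equal(sigbuf, sigloc)) {
			fudge = -fudge;
			break;
		}
	}
	if (fudge <= nsmb_signing_fudge) {
		SMBSDEBUG("sr_rseqno=%d, but %d would have worked\n",
		    rsn, rsn + fudge);
	}
#endif
	return (EBADRPC);
}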